Received: by 2002:a05:7412:31a9:b0:e2:908c:2ebd with SMTP id et41csp4232455rdb;
        Thu, 14 Sep 2023 16:32:41 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IHwhrtAd3sY4yihYbhH6/7McgVnP0+ZTVnCZuLUXjveELJDsZHG2+tCT/jb9Dx2hE1zZcft
X-Received: by 2002:a05:6a00:179b:b0:68f:cdf3:dd54 with SMTP id s27-20020a056a00179b00b0068fcdf3dd54mr126132pfg.9.1694734360927;
        Thu, 14 Sep 2023 16:32:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1694734360; cv=none;
        d=google.com; s=arc-20160816;
        b=kkMF/Dm1XXM/ugHXfvlIGLnHxZuDbRiN8gHsAqhpN02aXsihtYUYXh4jS6Tf6Qndhq
         ttPtaSRv8Xoa7wVbLRq/DgrCCvh5EcCzhqXV2vS1d0Y9Jfa6IyWeQ7ba9QG+/gTJ7uOV
         IUEoqGW6+MdlnsU3n+3DFZofwyYs0WEPflc2d1ctBuQ1nKrXrCEZLRjTkSFAKlYwFbLC
         8iK68DoAmoTAq3RefLEV2MQ/IGH4uoVTUI+ipW3gQ12szYGPZuCXON70ODRK3Nj5UQdy
         H/HD68d2cMBVupDM+QX8KTYaI2iV8Epjdr4OeG1IM4VcCTm2MSUbNvJ8URxaS0MYOL9J
         diog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=6eRAg4BOSXhzdaCM4oFAMYBsORYMTL2ICOv9GCq6ZaA=;
        fh=vLZiHvNyRixTsWRMQQEoUIZneGxtl/+HKmDqv68ZeyE=;
        b=lGoEmzxchzYfaALiITzUNEBT21x3gBydPL4vTroYcH8XjzSehTboKit0x/QcjQL2XO
         fLiHuXT5DnuCWXEuLG2/Gg0OI87ajhaov3gl8Dhvb64HjKGEi7eR/uTpo1/Wk2nxakCC
         LM1sEmR5liYf4V6kbb69yqIEwQj42qVm+IrubsKaFk5thuOt7PQla9KU74WZjEjkZfqz
         agUTAQS7jXxEXpXEoooyDvW+bsVU43oAwmITZ8tD+jDtxT6Un8IxGuQRPA5b9wXQdRJG
         UxXja4vP8DQTL1O39atyrz0/urOSHmGI3YvXdAGslzuLr8a9CZ17HlyK5XtOg7bu82Ty
         23/w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=korg header.b=k8uDcAI3;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2])
        by mx.google.com with ESMTPS id u39-20020a056a0009a700b0068e2f6feab4si2458499pfg.374.2023.09.14.16.32.39
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 14 Sep 2023 16:32:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=korg header.b=k8uDcAI3;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by agentk.vger.email (Postfix) with ESMTP id E39A182A68BB;
	Thu, 14 Sep 2023 11:29:21 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240824AbjINS3W (ORCPT <rfc822;benlin170369@gmail.com>
        + 99 others); Thu, 14 Sep 2023 14:29:22 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44668 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S239368AbjINS3U (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 14 Sep 2023 14:29:20 -0400
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ADD9F1FD7
        for <linux-kernel@vger.kernel.org>; Thu, 14 Sep 2023 11:29:16 -0700 (PDT)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D9921C433C8;
        Thu, 14 Sep 2023 18:29:15 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org;
        s=korg; t=1694716156;
        bh=8yfZbzZKag5d7bxNrUSr/lpYoM54Vk26Cn0YqHlXOnU=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=k8uDcAI3/N9nu9z6RNGz7MTQI7GnzEOueZNNkHePh6pbgMV5izoqp8ZBNnpewTVDZ
         5nvRul9SEPLd+PWL0RLNb1YrboFFPW6PuJ8F8mgIEvVrvrX7W1It5tTUonSluB3mxt
         jHwMGpGX+T7d1JMb+p5mJWINZt/wPMJqJZ+42mSo=
Date:   Thu, 14 Sep 2023 11:29:15 -0700
From:   Andrew Morton <akpm@linux-foundation.org>
To:     Haibo Li <haibo.li@mediatek.com>
Cc:     <linux-kernel@vger.kernel.org>, <xiaoming.yu@mediatek.com>,
        Andrey Ryabinin <ryabinin.a.a@gmail.com>,
        Alexander Potapenko <glider@google.com>,
        Andrey Konovalov <andreyknvl@gmail.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>,
        Matthias Brugger <matthias.bgg@gmail.com>,
        AngeloGioacchino Del Regno 
        <angelogioacchino.delregno@collabora.com>,
        <kasan-dev@googlegroups.com>, <linux-mm@kvack.org>,
        <linux-arm-kernel@lists.infradead.org>,
        <linux-mediatek@lists.infradead.org>
Subject: Re: [PATCH] kasan:fix access invalid shadow address when input is
 illegal
Message-Id: <20230914112915.81f55863c0450195b4ed604a@linux-foundation.org>
In-Reply-To: <20230914080833.50026-1-haibo.li@mediatek.com>
References: <20230914080833.50026-1-haibo.li@mediatek.com>
X-Mailer: Sylpheed 3.8.0beta1 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Thu, 14 Sep 2023 11:29:22 -0700 (PDT)
X-Spam-Status: No, score=-2.3 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email

On Thu, 14 Sep 2023 16:08:33 +0800 Haibo Li <haibo.li@mediatek.com> wrote:

> when the input address is illegal,the corresponding shadow address
> from kasan_mem_to_shadow may have no mapping in mmu table.
> Access such shadow address causes kernel oops.
> Here is a sample about oops on arm64(VA 39bit) with KASAN_SW_TAGS on:
> 
> [ffffffb80aaaaaaa] pgd=000000005d3ce003, p4d=000000005d3ce003,
>     pud=000000005d3ce003, pmd=0000000000000000
> Internal error: Oops: 0000000096000006 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 3 PID: 100 Comm: sh Not tainted 6.6.0-rc1-dirty #43
> Hardware name: linux,dummy-virt (DT)
> pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : __hwasan_load8_noabort+0x5c/0x90
> lr : do_ib_ob+0xf4/0x110
> ffffffb80aaaaaaa is the shadow address for efffff80aaaaaaaa.
> The problem is reading invalid shadow in kasan_check_range.
> 
> The generic kasan also has similar oops.
> 
> To fix it,check shadow address by reading it with no fault.
> 
> After this patch,KASAN is able to report invalid memory access
> for this case.
> 

Thanks.

> --- a/mm/kasan/kasan.h
> +++ b/mm/kasan/kasan.h
> @@ -304,8 +304,17 @@ static __always_inline bool addr_has_metadata(const void *addr)
>  #ifdef __HAVE_ARCH_SHADOW_MAP
>  	return (kasan_mem_to_shadow((void *)addr) != NULL);
>  #else
> -	return (kasan_reset_tag(addr) >=
> -		kasan_shadow_to_mem((void *)KASAN_SHADOW_START));
> +	u8 *shadow, shadow_val;
> +
> +	if (kasan_reset_tag(addr) <
> +		kasan_shadow_to_mem((void *)KASAN_SHADOW_START))
> +		return false;
> +	/* use read with nofault to check whether the shadow is accessible */
> +	shadow = kasan_mem_to_shadow((void *)addr);
> +	__get_kernel_nofault(&shadow_val, shadow, u8, fault);
> +	return true;
> +fault:
> +	return false;
>  #endif
>  }

Are we able to identify a Fixes: target for this? 
9d7b7dd946924de43021f57a8bee122ff0744d93 ("kasan: split out
print_report from __kasan_report") altered the code but I expect the
bug was present before that commit.

Seems this bug has been there for over a year.  Can you suggest why it
has been discovered after such a lengthy time?